topic Thank you Aditya and Ahmed in Network Security

Confusion related to access-list and access-group

diwakar410 — Tue, 12 Mar 2019 07:45:32 GMT

Hello there,

I have cisco ASA 5515-x version 9.2.2 and ASDM version 7.2.

The inside interface and IP is 192.168.1.1/24 and outside interface is x.x.x.x.

I had opened certain ports like 1234,4567,8900 and so on.

Today i needed to open 7000 port and i created NAT rule and access-list as well. Then i created the access-group with command:

"access-group port-forward in interface outside " and all of a sudden i found all other access-list rules are gone and only existing rule for 7000 exists.

Do we need to specify only one access-group rule for all the ports in the same interface?
Should the access-group for opening ports like 1234,4567 and so on should have the same access-group name?

Please help.

Thank you in advnace.

Hi Diwakar,

Aditya Ganjoo — Tue, 17 May 2016 12:21:33 GMT

Hi Diwakar,

Yes you are correct.

Only one access-group can be applied on interface in one direction.

So if you need to modify any ACL rules you need to do on the same access-list which in turn would be binded to the access-group on the interface.

In your case only the access-group would have been removed, the access-list would be still on the ASA.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

You can revert your changes

ahmed-ejaz — Tue, 17 May 2016 13:50:58 GMT

You can revert your changes by reapplying the previous access list:

'access-group outside_access_in in interface outside' just make sure that your previous access list name was 'outside_access_in'. Once it is applied then you can add in the same access list for port 7000.

Regards,

Ahmed

Thank you Aditya and Ahmed

diwakar410 — Thu, 19 May 2016 03:01:34 GMT

Thank you Aditya and Ahmed for your input. I am pretty much sure what you mean now but let me just clear the air more.

i need to open ports 1234, 4567, 7890 and so on. so what will be the command line:
access-list any-name extended permit tcp any hostname 192.168.1.50 eq 1234
access-list any-name extended permit tcp any hostname 192.168.1.51 eq 4567
access-list any-name extended permit tcp any hostname 192.168.1.52 eq 7890

access-group any-name in interface outside

should this be the command line line or i can change the name of access-list in every steps?
What if i have to open new ports 9012, should the access group name be same? What about the access-list, should the name be same for every access-rule we make?

Hi Diwakar,

Aditya Ganjoo — Thu, 19 May 2016 03:23:44 GMT

Hi Diwakar,

The name of the access-list will always be the same.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

This can either be through

ahmed-ejaz — Thu, 19 May 2016 08:06:18 GMT

This can either be through command line or can be done through ASDM, though ASDM will be much easier. The best way to do it is by creating objects i-e SERVER1 IP 192.168.1.50, then in the access policies create a new rule and use these objects instead of IP addresses (just a neater way of doing it) and open the required posts.

There is only a single access-group applied on every firewall interface i-e inside_access_in on the inside interface (this is by default) outside_access_in on the outside interface.

If you want to manually add an entry in the list then first check what is the name of access list applied on the interface, if its outside_access_in then just add another entry:

Example:

access-list outside_access_in extended permit icmp any any echo-reply

I hope the above helps.

Regards,

Ahmed